SLIDE 1

Proposed Capability-Based Reference Architecture for Real-Time Network Defense

16 November 2015

DISTRIBUTION STATEMENT A - APPROVAL FOR PUBLIC RELEASE: DISTRIBUTION IS UNLIMITED

Based on work funded by the Department of Homeland Security

Gregg Tally Gregg.Tally@jhuapl.edu

SLIDE 2

Problem Statement

  • Current asymmetric advantage to the attackers
    • Tools support automation of the attack process vs. manual cyber defense operations
    • Attackers able to re-use tools and techniques across multiple targets vs. ad hoc information sharing by defenders
  • Cyber-attack response times are too slow
    • Human in the loop, limited analyst time
    • Large numbers of cyber events never analyzed
SLIDE 3

Pillars of A Cyber Ecosystem

Diagram labels: Foundation; Technical Framework; Goal. Elements shown: Risk Management, Risk-Based Business Decisions; Trust; Assured Communications; Automation; Information Sharing; Interoperability; A Secure and Resilient Cyber Ecosystem: Integrated, Adaptable, Trustworthy.

Integrated Adaptive Cyber Defense (IACD): an active cyber defense ecosystem enabling near real-time network defense at the enterprise level, with trusted information sharing and cyber services across enterprises.

SLIDE 4

Goals

  • Use human capital for cyber operations more effectively within the community through automation.
    • Respond to cyber events as they occur through automated sensing, sense making, decision making, and response.
    • Increase the number of cyber events in an enterprise that can be analyzed, thereby detecting intrusions earlier in the kill chain.
  • Degrade the attacker’s ability to re-use their wares across the community through enhanced information sharing.
    • Rapidly share and ingest threat information, analytics, and effective cyber event responses within the defender community.
    • Force attackers to develop new tools and techniques for each new target.
  • Remove barriers to adoption for the community through interoperability.
    • Create a market for security tools that emphasize machine-to-machine information exchange and interoperability.
    • Enable diverse but interoperable implementations of IACD, supporting a “bring your own enterprise” approach to integration.

SLIDE 5

IACD Constituent Capabilities

  • Trusted Cyber Services
    • Trust Services
    • Information/Data Management Services
    • Analytics, Reputation, and Enrichment Services
    • Shared Situational Awareness Services
    • Integrated Operational Action Services
  • Trusted Information Services
    • Indicators
    • Analytics
    • Courses of Action
  • Enterprise Automated Security Environment (EASE)
    • Enterprise Automation
    • Interoperability
    • Information Sharing
SLIDE 6

Reference Architecture Objectives

1. Encourage and provide guidelines for implementing security automation and information sharing in enterprises with diverse legacy architectures
2. Promote commercial adoption of standardized machine-to-machine interfaces by communicating IACD needs and requirements to vendors

SLIDE 7

Approach to the Reference Architecture

  • Capability-based approach
    • Focus on the required capabilities and interactions between them
    • Support many different vendor solutions
    • Acknowledge and support a “bring your own enterprise” model
    • Product-agnostic, plug-and-play architecture
    • Allow vendors to innovate
  • For each capability, specify the minimum functionality necessary to ensure the capability meets the functional objectives, including interoperability
    • Only specify the essential functions
  • Avoid tight coupling between components
    • Support multi-vendor solutions and simplify integration
  • Be as stateless as possible within a capability
    • Increase robustness of the solution and prevent resource exhaustion

SLIDE 8

Enterprise Automated Security Environment (EASE)

Diagram labels: EASE Architectural Views; IACD Constituent Capabilities; Focus of briefing.

SLIDE 9

Conceptual View: Functionality Inside the Enterprise

Diagram labels: Trust Services: Security, Identity, Access Control; Defense Services: Host Protections, Network Protections, Boundary Protections; Repositories; Sensing I/F, SM (Sense-Making) Analytic Framework, DM (Decision-Making) Engine, Response Controllers, Actuator I/Fs; Data Feeds, Analytics, COAs, Bus Rules, Response Actions; Secure Orchestration, Control, Management; Presentation and Ops Services: Management Interface, Analytics/Workflow Development, Visualization; Content Services; Control Message Infrastructure; Information Sharing Infrastructure; Sharing Infrastructure.

SLIDE 10

Conceptual View: Across/Among Enterprises

Diagram labels: Local: Enterprise, D/A, CIKR, B/P/C; Regional: Sectors, EOCs, Communities; National/Global: NCCIC, GEOC, National Cyber Centers; Trusted Information Sharing (shown linking the tiers).

SLIDE 11

Messaging View: Centralized Control of Service Orchestration Approach

Diagram labels: Trust Services: Security, Identity, Access Control; Control Message Infrastructure; External Data Feeds; Enterprise Perimeter; Trusted Cyber Services, Trusted Information Sharing; Decision-Making Engine, Information Sharing Infrastructure, Response Controller; Repositories: Log Data, Intel, Configuration, Blackboard, Content, COAs, COA Policy, Mission Models; Community Coordination Channel, Community Data Channel, External Sharing I/F; Secure Orchestration, Control, Management; Sensing I/F, Actuator I/F, Sense Making Analytic Framework, Presentation & Ops Services; Defense Services: Host Protections, Network Protections, Boundary Protections.

Message types shown on the diagram: Sensor Data; Cyber Events; Cyber Events, Shared COAs; Response Actions; Sensor Data, Shared Analytics; Response Actions, Information Sharing Actions; Course of Action; Share COAs, Indicators; Analytics; Shared COAs, Indicators, Analytics; Sensor Data, Shared Indicators; Share Indicators; Configuration Directives, Status; Sensor Data, Actuator Cmds, S/A Control/Data Channels; Content; Analytics.

SLIDE 12

Messaging View: Decentralized Control of Service Orchestration Approach

Diagram labels: Trust Services: Security, Identity, Access Control; Sensing I/F, Actuator I/F, Decision-Making Engine, Sense Making Analytic Framework, Information Sharing Infrastructure, Response Controller; External Data Feeds; Control Message Infrastructure: Message Bus; Presentation & Ops Services; Repositories: Log Data, Intel, Configuration, Blackboard, Content, COAs, COA Policy, Mission Models; Shared Indicators, Content; Analytics; Enterprise Perimeter; Share Indicators; Trusted Cyber Services, Trusted Information Sharing; Community Coordination Channel, Community Data Channel, External Sharing I/F; Defense Services: Host Protections, Network Protections, Boundary Protections.

Message types shown on the diagram: Sensor Data; Cyber Events; Cyber Events, Shared COAs; Response Actions; Sensor Data, Shared Analytics; Response Actions, Information Sharing Actions; Course of Action; Share COAs, Indicators; Analytics; Shared COAs, Indicators, Analytics; All Messages; Configuration Directives; Course of Action; Sensor Data, Actuator Cmds, S/A Control/Data Channels.

"Secure Orchestration, Control" is attached to each component in this view: configuration, not a component!

SLIDE 13

Centralized vs. Decentralized (Hypotheses)

Centralized

  • Advantages
    • Control logic easily managed in one component
    • Existing Orchestrator products satisfy functionality
    • Central point of management
  • Disadvantages
    • Potential bottleneck or resource exhaustion at centralized coordinator
    • New services require additional logic in centralized coordinator

Decentralized

  • Advantages
    • Scalability – replicate stateless components to increase capacity
    • Extensibility – add new components as data producers or consumers
  • Disadvantages
    • Management, debugging challenges
    • Control Message Infrastructure must be high performance – all logic at the data consumers

SLIDE 14

Functional View

Diagram labels: Repos & Models; Sensor/Actuator Interface, Sense-Making Analytic Framework, Decision-Making Engine, Response Controller, Sharing Interface; Information Sharing: Analytics/Indicators, Indicators; Analyst, Analyst, Op. Auth, Op. Admin; Sensing Inputs, Acting Points; Control Message Infrastructure, Trust Services; External: Third-party Services, Intel Feeds; Intra IACD: Trusted Cyber Services, Trusted Info. Services; COAs, Recommended Actions; Secure Orchestration, Control, Management.

* COAs, Analytics, Indicators, Recommended Actions

SLIDE 15

Functional View: Sensor Actuator Interface

Diagram labels: Raw Sensor Data; Sensor/Actuator Control; Op. Admin; Status Info; Sensor Data; Sensor/Actuator Control Info; Sensor/Actuator Translator; Sensor/Actuator Manager; S/A Publisher.

Sensors and actuators have translators and managers that bridge the proprietary interfaces (Raw Sensor Data) to the standard Control Message Infrastructure format (Sensor Data).

SLIDE 16

Functional View: Sense Making Analytic Framework

Diagram labels: Sensor Data, Intel Data; Cyber Event; Shared Analytic; Evaluator; Analytics Manager; Analytic Rule Set; Intel Repo Update; Analyst I/O.

Evaluators use analytics to assess Sensor Data against Intel Data and determine if a Cyber Event has occurred.
SLIDE 17

Functional View: Decision-Making Engine

Diagram labels: Subscription Feed; Op. Auth.; Selection; Operations Authority I/O; COA Policy Update; Selector; COA Manager; Inference Engine; COA Policy Model; Mission Models Repo; Cyber Event; Op. Auth I/O; COA Selection Notice; Mission Manager.

Given a Cyber Event, the DM-Engine determines a course of action (COA) to minimize risk while considering the mission impact of the alternative COAs.

SLIDE 18

Functional View: Response Action Controller

Diagram labels: Op. Admin; Status Info; Characterizer; Workflow Engine; COA to Workflow Translator; Sensor/Actuator Control Info; Subscribed Event Notice; COA Selection Notice; Notice to Operational Authority; Share Request/Status*; Workflow.

* Incoming status includes Tip/Event/COA sharing notice

Selected COAs (COA Selection Notice), with parameters for targets and other options, are converted to specific Workflows containing Sensor/Actuator Control Info for execution.

SLIDE 19

Functional View: Sharing Interface

Diagram labels: Indicators; Share Req/Status; COA Update; Analytics Update; Sharing Translator; Community Data Channel; Community Coordination Channel; Sharing Manager; External Sharing Interface; External: Third-party Services, Intel Feeds; COAs, Analytics, Indicators, Recommended Actions; Intra IACD: Trusted Cyber Services, Trusted Info. Services, Peer Enterprises.

COAs, Analytics, and Indicators may be received from the community or shared with the community. Recommended Actions may be received as part of a coordinated response.
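To make the message flow of the Functional View slides (Sensor/Actuator Interface through Sharing Interface) concrete, the following Python simulation is an added example; it is not part of the briefing and not IACD or EASE project code. It models the decentralized approach of slide 12: each functional component is a stateless handler subscribed to a topic on a minimal message bus standing in for the Control Message Infrastructure. The topic names, message fields, firewall log format, intel indicator, mission model and COA policy are all constructed assumptions chosen for illustration; the addresses are RFC 5737 documentation addresses.

```python
"""Toy EASE pipeline over a decentralized message bus (added example, not
IACD project code): Sensor/Actuator Translator -> Evaluator -> Decision-
Making Engine -> Response Controller and Sharing Interface.
All topic names, message shapes, intel, policy and sample data are
constructed assumptions for illustration."""
from collections import defaultdict


class MessageBus:
    """Minimal publish/subscribe bus standing in for the Control Message
    Infrastructure. Components keep no state between messages, so any
    of them could be replicated to add capacity."""

    def __init__(self):
        self.subscribers = defaultdict(list)
        self.log = []  # every (topic, message) delivered, for inspection

    def subscribe(self, topic, handler):
        self.subscribers[topic].append(handler)

    def publish(self, topic, msg):
        self.log.append((topic, msg))
        for handler in list(self.subscribers[topic]):
            handler(msg)


# Constructed stand-ins for the Intel, Mission Models and COA Policy repositories.
INTEL_INDICATORS = {"203.0.113.45": "known-c2"}  # hypothetical indicator
MISSION_MODEL = {"host-17": "mission-critical", "host-42": "standard"}
# (COA name, assumed risk reduction, permitted on mission-critical hosts?),
# ordered from most to least aggressive; the last entry is always permitted.
COA_POLICY = [
    ("isolate_host", 0.9, False),
    ("block_at_boundary", 0.7, True),
    ("monitor_only", 0.2, True),
]


def translate_raw_sensor_data(raw):
    """Sensor/Actuator Translator: proprietary 'key=value' firewall record
    (Raw Sensor Data) -> standard Sensor Data message."""
    fields = dict(kv.split("=", 1) for kv in raw.split())
    return {"src_host": fields["host"], "dst_ip": fields["dst"], "action": fields["act"]}


def evaluate(sensor_data):
    """Evaluator: analytic rule 'connection to a known-C2 address' assessed
    against Intel Data. Returns a Cyber Event, or None if nothing matched."""
    tag = INTEL_INDICATORS.get(sensor_data["dst_ip"])
    if tag is None:
        return None
    return {"type": "CyberEvent", "host": sensor_data["src_host"],
            "indicator": sensor_data["dst_ip"], "intel_tag": tag}


def select_coa(event):
    """Decision-Making Engine: pick the COA with the greatest risk reduction
    that the mission model permits for the affected host."""
    criticality = MISSION_MODEL.get(event["host"], "standard")
    for name, _reduction, ok_for_critical in COA_POLICY:
        if criticality != "mission-critical" or ok_for_critical:
            return {"type": "COASelectionNotice", "coa": name,
                    "target": event["host"], "indicator": event["indicator"]}
    raise LookupError("no COA permitted by policy; escalate to Operations Authority")


def coa_to_workflow(notice):
    """Response Controller: COA plus target parameters -> Workflow of
    Sensor/Actuator Control Info for the relevant actuators."""
    steps = {
        "isolate_host": [("endpoint_agent", {"cmd": "quarantine", "host": notice["target"]})],
        "block_at_boundary": [("boundary_fw", {"cmd": "deny_dst", "ip": notice["indicator"]})],
        "monitor_only": [("siem", {"cmd": "watchlist", "host": notice["target"]})],
    }
    return {"type": "Workflow", "coa": notice["coa"], "steps": steps[notice["coa"]]}


def build_share_request(notice):
    """Sharing Interface: turn the acted-upon indicator into a Share Request."""
    return {"type": "ShareRequest", "indicator": notice["indicator"], "coa": notice["coa"]}


def wire_pipeline(bus):
    """Subscribe each component to its input topic; no central orchestrator."""
    bus.subscribe("raw_sensor", lambda raw: bus.publish("sensor_data", translate_raw_sensor_data(raw)))

    def on_sensor_data(sd):
        event = evaluate(sd)
        if event is not None:
            bus.publish("cyber_event", event)

    bus.subscribe("sensor_data", on_sensor_data)
    bus.subscribe("cyber_event", lambda ev: bus.publish("coa_selection", select_coa(ev)))
    bus.subscribe("coa_selection", lambda n: bus.publish("workflow", coa_to_workflow(n)))
    bus.subscribe("coa_selection", lambda n: bus.publish("share_request", build_share_request(n)))


def run(raw_lines):
    """Feed raw sensor records through the bus and return the delivery log."""
    bus = MessageBus()
    wire_pipeline(bus)
    for line in raw_lines:
        bus.publish("raw_sensor", line)
    return bus.log


SAMPLE_RAW = [  # constructed firewall-style records
    "host=host-42 dst=203.0.113.45 act=allow",  # standard host -> C2: isolate
    "host=host-17 dst=203.0.113.45 act=allow",  # critical host -> C2: block at boundary
    "host=host-42 dst=198.51.100.7 act=allow",  # benign: no Cyber Event
]

if __name__ == "__main__":
    for topic, msg in run(SAMPLE_RAW):
        print(topic, msg)
```

Two design points from the briefing are visible in the code: every handler is stateless (the only state is in the repositories and on the bus), and adding a new consumer such as the Sharing Interface is a second subscription on an existing topic rather than new logic in a central coordinator. The mission-model check in `select_coa` is where the "minimize risk while considering mission impact" trade-off of slide 17 is made: the same indicator yields isolation on a standard host but only a boundary block on a mission-critical one.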

SLIDE 20

Work To Date

  • Partially completed the architecture views presented in this briefing
  • Completed detailed Functional Decomposition
  • Assessed the architecture against representative use cases
  • Executed four spirals to demonstrate the concept feasibility by integrating commercial products:
    • Spiral 0: Auto-enrichment of troubleshooting and analyst activity; detection and mitigation of malware
    • Spiral 1: Generation of indicators and tips for sharing, and direction to other enterprises; indicators and tips received from external source and initiation of IACD response
    • Spiral 2: Indicators and tips received from external source and initiation of IACD response
    • Spiral 3: Sharing COAs between enterprises
SLIDE 21

Next Steps

  • Product Vendors:
    • We need your feedback on the reference architecture!
    • We need your help to develop the open interface and interoperability specifications
  • Potential Adopters:
    • We need your feedback on the reference architecture!
    • Use cases for your environment, including mobility, managed service consumers, industrial control systems, and geographically distributed networks
  • The IACD Challenge:
    • We are looking for vendors and integrators to instantiate some or all of the architecture and demonstrate the capabilities
    • Opportunity to demonstrate the results at a future Community Day event: https://secwww.jhuapl.edu/iacdcommunityday/
SLIDE 22

Conclusions

  • IACD focuses on cyber defense information sharing, automation, and interoperability
  • The Reference Architecture serves as a framework for vendors and adopters to complete the interface definitions required for interoperable solutions
  • Prior spiral demonstrations have shown the feasibility and benefits of security automation
  • The next steps require support from industry to define the interfaces and messages that will enable interoperability
